
Tuesday, July 19, 2005

firewall-wizards digest, Vol 1 #1632 - 5 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. The Death Of A Firewall (James Paterson)
2. RE: SSH brute force attack (Mark Ness)
3. Re: Opinion: Worst interface ever. (Dave Piscitello)
4. Checkpoint VPN (QTR)
5. RE: Firewall Log Analysis - Computer vs. Human (Paul Melson)

--__--__--

Message: 1
Date: Sat, 9 Jul 2005 17:33:10 -0400
From: "James Paterson" <jpaterson@datamirror.com>
To: <firewall-wizards@honor.icsalabs.com>
Subject: [fw-wiz] The Death Of A Firewall

http://www.securitypipeline.com/165700439

Be interesting to get the community's take on this article.

--__--__--

Message: 2
Date: Sat, 09 Jul 2005 21:51:20 -0700
From: Mark Ness <noneinc@gte.net>
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] RE: SSH brute force attack

Mathew Want wrote:
>I would like to hear any suggestions or thoughts anyone may have on this....
There is a script to blacklist Illegal attacks at
http://www.bwongar.com/articles/105

--__--__--

Message: 3
From: "Dave Piscitello" <dave@corecom.com>
To: firewall-wizards-admin@honor.icsalabs.com
Date: Mon, 11 Jul 2005 02:34:18 -0400
Subject: Re: [fw-wiz] Opinion: Worst interface ever.
Reply-To: dave@corecom.com
Cc: StefanDorn@bankcib.com, firewall-wizards@icsalabs.com

I'm not certain why this thread has persisted

I've been largely and politely silent because (a) I consult to
WatchGuard and (b) thought this kind of discussion was off limits.
I've used every WGRD model since the FB II and frankly, lots of the
comments posted here are difficult for me to accept given my
considerably more positive experience.

Is it now open season? Can I begin a per vendor thread on all the
awful experiences I've had with other vendor firewalls, including
several that have been mentioned already in this thread?

Or can we declare the horse is dead and move on?

--__--__--

Message: 4
Date: Tue, 12 Jul 2005 10:09:26 -0400
From: QTR <tmwhitm@gmail.com>
Reply-To: QTR <tmwhitm@gmail.com>
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Checkpoint VPN

Hello, I was wondering if someone could point me in the right
direction. I have come off a long run of managing Cyberguard
firewalls and am now in the Checkpoint realm, so forgive my ignorance.
I am having an issue with secure client. I have several SoHo users
whose default routers place them on a 172.16.0.0 network. These users
cannot connect to the gateway. Dumps on the checkpoint fw gateway
show no incoming packets and a dump on the client shows udp 500 leaving
the client, which leads me to the router/firewall @ the SoHo. Router
makes vary, anywhere from 2wire to netgear, the result is the same. I
initially thought it had something to do with the routing topology
since our topology pushes a static route for a 172 network, but I had
the SoHo router changed to a 10 network that is statically routed in
the topology and that worked fine. At this point I am at a loss. Any
suggestions would be appreciated.

Thank you,

--__--__--

Message: 5
From: "Paul Melson" <pmelson@gmail.com>
To: "'Adrian Grigorof'" <adi@grigorof.com>,
<firewall-wizards@icsalabs.com>
Subject: RE: [fw-wiz] Firewall Log Analysis - Computer vs. Human
Date: Mon, 11 Jul 2005 11:52:54 -0400

Only a human can be pissed when his or her pager goes off at 3am. :-) The
rest of the "analysis" of any specific conditions or cases can be done with
software because it's based on static or logical conditions. For that
matter, it should be done with software.

Log analysis is a loathsome job if you slog through the same junk day in
and day out. It's also pretty easy to get blinded to subtle anomalies when
you are drowning in logs. Therefore, it makes the most sense to me to use
software to reduce the 'noise' or at least convert it into useful
information (like event counts, event count deltas, event count averages
over time, etc.). The end result should be that any human performing log
analysis should only be looking at individual events that are specifically
identified as significant or are not identified as being insignificant - the
former requiring some sort of action, and the latter requiring at least some
form of additional investigation.

PaulM

-----Original Message-----
We are trying to develop a log analyzer that would "replicate" a human's
approach to log analysis - by that I mean the fact that a human can
correlate information in the log with other factors (like - "hmm, the log
says that the firewall was restarted at 12:03 PM"... oh, yeah, it was that
UPS failure yesterday around noon). For this particular example, the log
analyzer could say in the report: "12:03 PM - Firewall restarted - Possible
power failure, power disconnection or manual restart" - a bit vague I agree
but it is better than nothing - and in fact, this is what the firewall
admin would go through, right? Thinking, "Why would there be a restart? I
did not restart it... anything happened at noon? The UPS failure!". Or for
example, instead of saying IP 123.123.123.123 was denied for protocol
TCP/8543 and letting the firewall admin worry about it maybe the analyzer should
do a bit of analysis, check the "history", see that this protocol is not
something commonly used, it's not one of the common worms and decide to
report that it is in fact a stray TCP packet caused by Internet latency (TCP
port higher than 1024, not a "known protocol", coming from an IP address
that is typically accessed by internal IPs via HTTP - all this information
should be obtainable from the logs).

Now, the question is, what are the things (in your opinion) that only a
human can do?

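The pipeline both posters describe, as an added example that is not code from either of them: software reduces raw lines to counts, correlates a restart with an operator-supplied outage, tags a high-port deny from a host the inside already talks to over HTTP as a stray packet, and leaves a human only the events that are significant or not known to be insignificant. The log format, the sample lines, the port-80 history test, the ten-minute correlation window and the deny threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample firewall log lines (not from the original thread).
LOG_LINES = [
    "11:02 ALLOW TCP 10.0.0.5:51234 -> 123.123.123.123:80",
    "11:05 DENY TCP 123.123.123.123:80 -> 10.0.0.5:8543",
    "11:07 DENY TCP 198.51.100.9:3344 -> 10.0.0.5:22",
    "11:07 DENY TCP 198.51.100.9:3345 -> 10.0.0.5:22",
    "11:08 DENY TCP 198.51.100.9:3346 -> 10.0.0.5:22",
    "11:20 DENY UDP 203.0.113.7:5353 -> 10.0.0.5:5353",
    "12:03 RESTART",
]
FLOW_RE = re.compile(r"^(\d\d:\d\d) (ALLOW|DENY) (TCP|UDP) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
RESTART_RE = re.compile(r"^(\d\d:\d\d) RESTART$")
minutes = lambda hhmm: int(hhmm[:2]) * 60 + int(hhmm[3:])  # "12:03" -> 723

def parse(line):
    """One log line -> event dict, or None for lines the parser does not know."""
    m = FLOW_RE.match(line)
    if m:
        t, act, proto, src, dst, dport = m.groups()
        return dict(time=t, action=act, proto=proto, src=src, dst=dst, dport=int(dport))
    m = RESTART_RE.match(line)
    return dict(time=m.group(1), action="RESTART") if m else None

def analyze(lines, outages=(), deny_threshold=3):
    """Reduce raw lines to (time, outcome, reason) findings.  Outcome is 'action'
    (significant), 'investigate' (not known harmless) or 'suppress' (known noise).
    'outages' are operator-supplied (hh:mm, description) pairs, e.g. a UPS failure."""
    events = [e for e in map(parse, lines) if e]
    # "History": external hosts that internal hosts reached over HTTP (port 80).
    http_peers = {e["dst"] for e in events if e["action"] == "ALLOW" and e["dport"] == 80}
    # Noise reduction: count denies per (source, dest port) instead of listing each.
    deny_counts = Counter((e["src"], e["dport"]) for e in events if e["action"] == "DENY")
    findings, reported = [], set()
    for e in events:
        if e["action"] == "RESTART":
            near = [d for t, d in outages if abs(minutes(t) - minutes(e["time"])) <= 10]
            cause = near[0] if near else "power loss, power disconnection or manual restart"
            findings.append((e["time"], "action", f"firewall restarted; possible cause: {cause}"))
        elif e["action"] == "DENY" and (key := (e["src"], e["dport"])) not in reported:
            reported.add(key)
            if deny_counts[key] >= deny_threshold:  # repeated denies: act on it
                findings.append((e["time"], "action", f"{deny_counts[key]} denies from {key[0]} to port {key[1]}"))
            elif e["proto"] == "TCP" and e["dport"] > 1024 and e["src"] in http_peers:
                findings.append((e["time"], "suppress", f"stray TCP packet from HTTP peer {key[0]}"))
            else:  # not identified as insignificant: a human should look
                findings.append((e["time"], "investigate", f"deny from {key[0]} to {e['proto']}/{key[1]}"))
    return findings
```

Calling `analyze(LOG_LINES, outages=[("12:00", "UPS failure")])` yields one suppressed stray packet, one aggregated three-deny finding for action, one UDP deny to investigate, and the restart attributed to the UPS failure.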
--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
